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Abstract 

In recent years, a growing number of cryptosystems based on chaos have been pro- 
posed, many of them fundamentally flawed by a lack of robustness and security. 
This paper describes the security weaknesses of a recently proposed cryptographic 
algorithm with chaos at the physical level. It is shown that the security is trivially 
compromised for practical implementations of the cryptosystem with finite com- 
puting precision and for the use of the iteration number n as the secret key. Some 
possible countermeasures to enhance the security of the chaos-based cryptographic 
algorithm are also discussed. 
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1 Introduction 



In a world where digital communications are becoming ever more prevalent, 
there are still services working in analog form. Some examples of analog com- 
munications systems widely used today include voice communications over 
telephone lines, TV and radio broadcasting and radio communications (see 
Tabled]). Although most of these services are also being gradually replaced 
by their digital counterparts, they will remain with us for a long time. Usu- 
ally the need to protect the confidentiality of the information transmitted by 
these means might arise. Thus, there is a growing demand for technologies and 
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methods to encrypt the information so that it is only available in inteligible 
form to the authorized users. 



In a recent paper [T], a secure communication system based on the chaotic 
Baker map was presented, which is a scheme that encrypts wave signals. 
First, the analog signal limited in the bandwidth W is sampled at a frequency 
/ > 2W to avoid aliasing. At the end of the sampling process, the signal is 
converted to a sequence s° = {a®, . . . , s°} of real values. Next, the signal 
is quantized: the amplitude of the signal is divided into N subintervals and 
every interval is assigned a real amplitude value qk, k — 1, . . . , N, its middle 
point for example. Thus, a new sequence is generated by replacing each s° by 
the qk associated to the subinterval it belongs to: y° = {y®, y®, . . . , yf}, where 
each y® takes its value from the set {q±, . . . , qw}- Once the original wave sig- 
nal is sampled and quantized, and restricted to the unit interval, a chaotic 
encryption signal {x®} i=1 , < x° < 1, is used to generate the ciphertext. This 
signal is obtained by either sampling a chaotic one or by a chaotic mapping. 
For the purposes of our analysis, the process to generate the chaotic signal 
is irrelevant since our results apply equally to any signal. Finally, an ordered 
pair is constructed, localizing a point in the unit square. In order to 

encrypt y®, the Baker map is applied n times to the point (jx®, yf) to obtain: 



y?) = (2aT 1 mod 1,0.5 (y"" 1 



2x] 



n-l 



The encrypted signal is given by yf, where n is considered as the secret key of 
the cryptosystem. As a result, a plaintext signal with values y® G {qi, . . . , Qat}, 
is encrypted into a signal which can take 2 n N different values. For a more com- 
plete explanation of this cryptosystem, it is highly recommended the thorough 
reading of [T]. 



In the following two sections, the security defects caused by the Baker map 
realized in finite precision are discussed, and then the fact that the secret 
key n can be directly deduced from the ciphertext is pointed out. After the 
cryptanalysis results, which constitute the main focus of our paper, some coun- 
termeasures are discussed on how to improve the security of the chaotic cryp- 
tosystem. The last section concludes the paper. 



2 Convergence to zero of the digital Baker map 



The proposed cryptosystem uses the Baker map as a mixing function. The 
Baker map is an idealized one in the sense that it can only be implemented with 
finite precision in digital computers and, as a consequence, in this case it has a 
stable attractor at (0, 0). This is easy to see when the value of x is represented 
in binary form with L significant bits. Assuming x° = 0.6162 • ■ - bj ■ • ■ 
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(bj G {0, 1}), the Baker map runs as follows: 

x 1 = 2x° mod 1 = x° < 1 = 0.6 2 &3 ■■■by b L ^b L 0, (2) 

where <C denotes the left bit-shifting operation. Apparently, the most signif- 
icant bit b\ is dropped during the current iteration. As a result, after m > L 
iterations, x m = 0. Once x m = 0, it is obvious that y^ will exponentially con- 
verge to zero within a finite number of iterations, i.e., the digital Baker map 
will eventually converge to the stable attractive point at (0,0), as shown in 
Fig. dJ It is important to note that this result does not depend on the real 
number representation method, on the precision, or on the rounding-off algo- 
rithm used, since the quantization errors induced in Eq. ([2]) are always zeros 
in any case. 

Considering that in today's digital computers real values are generally stored 
following the IEEE floating-point standard [2j, let us see what will happen 
when the chaotic iterations run with 64-bit double-precision floating-point 
numbers. Following the IEEE floating-point standard, most 64-bit double- 
precision numbers are stored in a normalized form as follows: 

(-1) 663 x (1.6 5 i • • • b ) 2 x 2( fe62 - fe52 ) 2 - 1023 , (3) 

where 6j represent the number bits, (-^ means a binary number and the first 
mantissa bit occurring before the radix dot is always assumed to be 1 (except 
for a special value, zero) and not explicitly stored in b$$ - • • bo. When x° G (0, 1), 
assume it is represented in the following format: 

i e—1 53— i 

(I.651 • ■ -b t+1 l 0^0) 2 x 2" e = (0.0^0 16 5 i-^6 m l) 2 , (4) 

where 1 < e < 1022. Apparently, it is easily to deduce L — (e — 1) + (53 —i) = 
e + (52 - i). Considering < i < 52, L < 1022 + 52 = 1074. When x° is 
generated uniformly with the standard C rand() function in the space of all 
valid double-precision floating-point numbers, both e and i will approximately 
satisfy an exponentially decreasing distribution, and then it can be easily 
proved that the mathematical expectation of L is about 53 [3]. 

This means that the value of the secret key n must not be greater than 53. In 
other words, it is expected that each plaintext sample yf cannot be correctly 
decrypted when n is greater than 53 (or even smaller but close to 53), since 
the counter-iterating process is unable to get x° from x" = due to the loss 
of precision during the forward iterations. Figure [2] plots the recovery error 
obtained for different values of the secret key n when a 100-sample ciphertext is 
decrypted. It can be appreciated how the plaintext is correctly recovered only 
when n < 45. For n > 52, the system does not work at all. As a consequence, 
only n = 45 secret keys have to be tried to break a ciphertext encrypted 
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with this cryptosystem. This takes a modern desktop computer less than a 
second for moderated lengths of the plaintext. This attack is called a brute 
force attack, which breaks a cipher by trying every possible key. The feasibility 
of a brute force attack depends on the size of the cipher's key space and on 
the amount of computational power available to the attacker. With today's 
computer technology, it is generally agreed in the cryptography community 
that a size of the key space K < 2 100 « 10 30 is insecure [I]. Compare this 
figure with the key space K = 45 of the cipher under study. 



If the value of n could be arbitrarily enlarged, then the encryption process 
would slow down until it would be unusable in practice. Thus, from any point 
of view, this is an impractical encryption method because it is either totally 
insecure or infinitely slow, without any reasonable tradeoff possible. In pQ it is 
said that the encryption is applied to the wave signal instead of the symbolic 
sequence. Therefore, in Tabled] a review of some widely used multimedia com- 
munications systems with their bandwidth and sampling frequencies is given. 
These are the kind of signals that might be encrypted by the system proposed 
in [1]. Consider for example TV broadcasting, which transmits 12,000,000 
samples per second. It is impossible to iterate the Baker map billions of times 
for 12,000,000 samples in one second with average computing power. 



Finally, another physical limitation of the cryptosystem is that when n is very 
large, each encrypted sample would require a vast amount of bits to be 
transmitted, which would require in turn a transmission channel with infinite 
capacity, meaning that the system cannot work in practice. 



3 Determinism of the ciphertext 



Even assuming that the messages are encrypted with an imaginary computer 
with infinite precision and infinite speed, using an infinite-bandwidth channel, 
and an idealized version of the Baker map, the cryptosystem would be broken 
as well because the secret key n can still be derived from only one amplitude 
value of the ciphertext. To begin with, let us assume that two quantization 
levels are used, that is, N = 2. During the encryption process a binary tree is 
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generated in the following way: 



0.25 (0.01) ; 



0.75 (0.11) 



0.125 (0.001)2 
0.625 (0.101)2 
0.375 (0.011)2 
0.875 (0.111)2 



0.0625 (0.0001)2 
0.5625 (0.1001)2 
0.3125 (0.0101)2 
0.8125 (0.1101)2 
0.1875 (0.0011)2 
0.6875 (0.1011)2 
0.4375 (0.0111)2 
0.9375 (0.1111)2 



(5) 

where (-)a following the decimal number denotes its binary format. The fact 
that the ciphertext uses 2 n N discrete amplitudes constitutes its weakest point. 
It is possible to directly get the value of n with only one known amplitude. In 
Eq. (j3j), it is obvious that is always one value in the set 



2j + iy= 2n+1 - 1 

)j=0 



2 n+2 



2«+2 ' 



2 n+2 _ l 
2 n + 2 



(6) 



As mentioned above, in the case that the real values are stored in the IEEE- 
standard floating-point format [2], any amplitude value yf will be represented 
in the following form: 



V? = +l.bib2---bi x2" 



e-l 

0.0^0 I6162 ■■■bi, 



(7) 



where bi = 1. From Eq. ([6]), one can see that I + e = n + 2. Therefore, we can 
directly derive n = (7 + e) — 2, by checking which bit is the least significant 
bit (i.e., the least significant 1-bit) in all bits of yf . 

A more intuitive way to compute n from a single amplitude value, yf , consists 
of two steps: i) represent this amplitude value in fixed-point binary form; 
ii) count the bits in the fixed-point format of yf to determine the value of 
an integer B, which is the number of bits after the radix dot and before 

e-l 

the least significant bit, i.e., = 0. • • • I&1&2 • • • h • • • 0. Obviously, n = 

B=l+e 

B — 2. Similarly, for other values of N = 2 V , one can easily deduce that 
n = (I + e) — (v + 1) = B — (v + 1); and for N ^ 2 V , the value of n can still be 
derived easily, but the calculation algorithm depends on how the binary tree 
shown in Eq. (jHJ) is re-designed. 



Although in p] it is hinted that the value of n could be changed dynamically 
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based on some information of the encrypted trajectory, this idea would not 
further increase the security of the cryptosystem as long as 2 n N different 
amplitudes are still possible for each different n value. This means that the 
ciphertext value y™\ whatever n i; can only take values from the finite set 
defined in Eq. ([6]) for the given m. Hence, for each the value of can be 
computed as described above and the security is again compromised. 



4 Some possible counter-measures of enhancing the cryptosystem 

There are many ways to improve the security of the attacked cryptosystem. 
This section introduces three possible ones: changing the key, changing the 
2-D chaotic map, and masking the ciphertext with a secret signal. Note that 
only the basic ideas are given, and the concrete designs and detailed security 
analysis are omitted because this is not the main focus of our paper. 

4-1 Changing the key 

As mentioned above, in addition to the above- discussed security defects of 
the secret key n, using n as the secret key has another obvious paradox: from 
the point of view of the security, n should be as large as possible; while from 
the point of view of the encryption speed, n should be as small as possible. 
Apparently, n is not a good option as the secret key. 

Instead of using n, better candidates for the secret key must be chosen, such as 
the control parameter of the 2-D chaotic map and the generation parameter 
of the encryption signal x. If the former is chosen, the Baker map has to 
be modified to introduce some secret control parameters, as described in the 
following section. 

4-2 Changing the 2-D chaotic map 

As shown above, the multiplication factor 2 in the original Baker map is the 
essential reason of its convergence to (0, 0) in the digital domain, so the Baker 
map has to be modified to cancel this problem, or another 2-D chaotic map 
without this problem has to be used. 

A possible way is to generalize the original Baker map to a discretized version 
over a M x N lattice of the unit plane. For example, when M = N = 2, the 
lattice is composed of the following four points: (0.125,0.125), (0.125,0.725), 
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(0.725,0.125) and (0.725,0.725). A typical example of Baker map discretized 
in this way can be found in [5], reproduced next for convenience. 

First, the standard Baker map is generalized by dividing the unit square into 
k vertical rectangles, [-Fj_i, Fi) x [0,1), % = 1, . . . , k, Fi = p\ + p 2 + ■ ■ ■ + Pi, 
Fq = 0, such that P\ + ■ ■ ■ + Pk = 1- The lower right corner of the zth rectangle 
is located at Fi = p\ + • • • + p^. Formally the generalized map is defined by: 

B c (x,y)= (L( x - F ^pfl + F?J, (8) 

for (x,y) G [F^Fi+pt) x [0,1). 

The next step consists of discretizing the generalized map. If one divides an 
N x N square into vertical rectangles with N pixels high and iVj pixels wide, 
then the discretized Baker map can be expressed as follows: 

B d (r, s) = (^(r - Ni) + (s mod ^) , ^ (s - (s mod + N^j , (9) 

where the pixel (r, s) is with Ni < r < Ni + rii, < s < N . The sequence of 
k integers, ni,ri2, ■ ■ ■ ,rik, is chosen such that each integer n« divides N, and 
N = ni + ri2 + • • • + rift. The formula can be extended for M x N rectangles 
(see 0). 

With such a discretization, the negative convergence to zero can be removed. 
However, another negative digital effect, the recurrence of the orbit, arises in 
this case, since any orbit will eventually become periodic within MN itera- 
tions. This means that the security defect caused by the small key space is 
not essentially improved. Thus, the discretized Baker map must be used when 
the key is changed to be its discretization parameters. 

Another way is to use entirely different 2-D chaotic maps with one or more 
adjustable parameters, which can be used as the secret key instead of n. 

4-3 Masking the ciphertext with a secret pseudo-random signal 

An easy way to enhance the security of the cryptosystem is to mask the 
ciphertext with a secret pseudo-random signal, which can efficiently eliminate 
the possibility to derive the estimated value of n from one amplitude of the 
ciphertext. The secret masking sequence can be the chaotic encryption signal 
{x®}, and the parameters of controlling the generation process of {x®} should 
be added as part of the secret key. In this case, the ciphertext is changed from 
{yf } into {y™ + x®}. Note that the masking can be considered as an added 
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stream cipher to the original system. This is a common technique to achieve 
stronger ciphers [6]. 



5 Conclusions 



In summary, the new cryptosystem proposed in [T] can be broken due to the 
limitation of computers to represent real numbers. Even if an ideal computer 
with infinite precision were used to encrypt the messages, the cipher can still 
be broken due to the fact that the number and value of possible amplitude 
values in the ciphertext depend directly on the secret key n. Furthermore, 
for the cryptosystem to work with large values of n, an ideal computer with 
infinite computing speed, infinite storage capacity, and infinite transmission 
speed would be required. As a consequence, we consider that this cryptosystem 
should not be used in secure applications. Some possible countermeasures are 
also discussed on how to improve the security of the cryptosystem under study. 
An important conclusion of our work is that an idealized map cannot be used 
in a practical implementation of a chaos-based cipher. 
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Tables 



Table 1 

Multimedia communication systems and their bandwidth. 



Communication system Bandwidth (KHz) Sampling frequency (Ksamples/s) 



Voice over telephone 


3.3 


8 


Radio communications 


3.3 


8 


Radio Broadcast (AM) 


5 


10 


Radio Broadcast (FM) 


15 


30 


TV 


5500 


12000 



Figures 
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Number of iterations 

Fig. 1. Orbits followed by x and y in a practical implementation of the Baker map. As 
can be observed, (0, 0) constitutes a fixed point. The number of iterations required 
to converge to the origin depends on the precision used, but is always finite in a 
computer. 




Fig. 2. Number of errors when decrypting a 100-sample signal for different values 
of the secret key n using double-precision floating-point arithmetic. 



